kubevirt/0010-Fix-PR-leftover-mount-and-perms.patch

From dd782727364aaa2f2914b86ab21bd6ed34c8db7e Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Thu, 27 Jul 2023 09:15:31 +0200
Subject: [PATCH 1/8] Drop redundant use of fmt.Sprintf

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 pkg/storage/reservation/pr.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/pkg/storage/reservation/pr.go b/pkg/storage/reservation/pr.go
index 5ab0dec4c..afda2c8b4 100644
--- a/pkg/storage/reservation/pr.go
+++ b/pkg/storage/reservation/pr.go
@@ -1,7 +1,6 @@
 package reservation
 
 import (
-	"fmt"
 	"path/filepath"
 
 	v1 "kubevirt.io/api/core/v1"
@@ -20,15 +19,15 @@ func GetPrResourceName() string {
 }
 
 func GetPrHelperSocketDir() string {
-	return fmt.Sprintf(filepath.Join(sourceDaemonsPath, prHelperDir))
+	return filepath.Join(sourceDaemonsPath, prHelperDir)
 }
 
 func GetPrHelperHostSocketDir() string {
-	return fmt.Sprintf(filepath.Join(hostSourceDaemonsPath, prHelperDir))
+	return filepath.Join(hostSourceDaemonsPath, prHelperDir)
 }
 
 func GetPrHelperSocketPath() string {
-	return fmt.Sprintf(filepath.Join(GetPrHelperSocketDir(), prHelperSocket))
+	return filepath.Join(GetPrHelperSocketDir(), prHelperSocket)
 }
 
 func GetPrHelperSocket() string {
-- 
2.41.0


From b0e7d191686d90a61143beb73dd97e773d5d21de Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Thu, 27 Jul 2023 09:18:36 +0200
Subject: [PATCH 2/8] Run pr-helper container as qemu (107) user

The ownership of the /var/run/kubevirt/daemons/pr directory is currently
set to 107:107 while by default the container is run under a non-root
user 1001 (which does not have write permissions to that directory).
Since the container is privileged, qemu-pr-helper initially has the
capabilities to create the socket in that directory. However, after the
daemon has been initialized, it drops the capabilities and this
eventually leads to 'Permission denied' error when the daemon tries to
remove the socket during termination. Running the container under qemu
user ensures the cleanup is done properly.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 pkg/virt-operator/resource/generate/components/BUILD.bazel   | 1 +
 pkg/virt-operator/resource/generate/components/daemonsets.go | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/pkg/virt-operator/resource/generate/components/BUILD.bazel b/pkg/virt-operator/resource/generate/components/BUILD.bazel
index 0f4625a44..4f0046de0 100644
--- a/pkg/virt-operator/resource/generate/components/BUILD.bazel
+++ b/pkg/virt-operator/resource/generate/components/BUILD.bazel
@@ -22,6 +22,7 @@ go_library(
         "//pkg/certificates/triple:go_default_library",
         "//pkg/certificates/triple/cert:go_default_library",
         "//pkg/storage/reservation:go_default_library",
+        "//pkg/util:go_default_library",
         "//pkg/virt-operator/util:go_default_library",
         "//staging/src/kubevirt.io/api/clone:go_default_library",
         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
index 9066fd23a..c254f1ff2 100644
--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
+++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
@@ -13,6 +13,7 @@ import (
 	virtv1 "kubevirt.io/api/core/v1"
 
 	"kubevirt.io/kubevirt/pkg/storage/reservation"
+	"kubevirt.io/kubevirt/pkg/util"
 	operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
 )
 
@@ -41,6 +42,7 @@ func RenderPrHelperContainer(image string, pullPolicy corev1.PullPolicy) corev1.
 			},
 		},
 		SecurityContext: &corev1.SecurityContext{
+			RunAsUser:  pointer.Int64(util.NonRootUID),
 			Privileged: pointer.Bool(true),
 		},
 	}
-- 
2.41.0


From 3ddd3d783dcab7100041f8434157adf98042978c Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Thu, 27 Jul 2023 10:38:52 +0200
Subject: [PATCH 3/8] Do not mount pr-helper-socket-vol to virt-handler

It turns out that having two host path volumes originating at the same
root (e.g. /var/run/kubevirt and /var/run/kubevirt/daemons/pr) in a pod
and bind-mounted with bidirectional propagation to a container leads to
side effects. That creates additional mount points on the host that are
not cleaned up afterward:

$ mount | grep daemon
tmpfs on /run/kubevirt/daemons/pr type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /run/kubevirt/daemons/pr type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /run/kubevirt/daemons/pr type tmpfs (rw,nosuid,nodev,seclabel,mode=755)

Since the virt-handler container already has the host path volume
/var/run/kubevirt mounted, it can be used to access the pr-helper
socket at /var/run/kubevirt/daemons/pr.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 .../resource/generate/components/daemonsets.go      | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
index c254f1ff2..229b8e24e 100644
--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
+++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
@@ -276,9 +276,6 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
 		{"kubelet-pods", kubeletPodsPath, kubeletPodsPath, &bidi},
 		{"node-labeller", "/var/lib/kubevirt-node-labeller", "/var/lib/kubevirt-node-labeller", nil},
 	}
-	if enablePrHelper {
-		volumes = append(volumes, volume{prVolumeName, reservation.GetPrHelperSocketDir(), reservation.GetPrHelperSocketDir(), &bidi})
-	}
 
 	for _, volume := range volumes {
 		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
@@ -328,6 +325,16 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
 	}
 
 	if enablePrHelper {
+		directoryOrCreate := corev1.HostPathDirectoryOrCreate
+		pod.Volumes = append(pod.Volumes, corev1.Volume{
+			Name: prVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: reservation.GetPrHelperSocketDir(),
+					Type: &directoryOrCreate,
+				},
+			},
+		})
 		pod.Containers = append(pod.Containers, RenderPrHelperContainer(prHelperImage, pullPolicy))
 	}
 	return daemonset, nil
-- 
2.41.0


From dd7807a4b3f03cee76965e5273e1ea5381b41b7a Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Thu, 27 Jul 2023 11:15:19 +0200
Subject: [PATCH 4/8] tests: Ensure proper cleanup (scsi reservation)

Check that after PersistentReservation feature gate is disabled, no
mount points or socket files are left behind.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 tests/storage/BUILD.bazel    |  1 +
 tests/storage/reservation.go | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/tests/storage/BUILD.bazel b/tests/storage/BUILD.bazel
index f605404fc..21414efbd 100644
--- a/tests/storage/BUILD.bazel
+++ b/tests/storage/BUILD.bazel
@@ -22,6 +22,7 @@ go_library(
         "//pkg/apimachinery/patch:go_default_library",
         "//pkg/certificates/triple/cert:go_default_library",
         "//pkg/host-disk:go_default_library",
+        "//pkg/storage/reservation:go_default_library",
         "//pkg/storage/types:go_default_library",
         "//pkg/virt-config:go_default_library",
         "//pkg/virt-launcher/virtwrap/converter:go_default_library",
diff --git a/tests/storage/reservation.go b/tests/storage/reservation.go
index a09853060..e233e53e4 100644
--- a/tests/storage/reservation.go
+++ b/tests/storage/reservation.go
@@ -17,12 +17,14 @@ import (
 	v1 "kubevirt.io/api/core/v1"
 	"kubevirt.io/client-go/kubecli"
 
+	"kubevirt.io/kubevirt/pkg/storage/reservation"
 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
 	"kubevirt.io/kubevirt/tests"
 	"kubevirt.io/kubevirt/tests/console"
 	"kubevirt.io/kubevirt/tests/exec"
 	"kubevirt.io/kubevirt/tests/flags"
 	"kubevirt.io/kubevirt/tests/framework/checks"
+	"kubevirt.io/kubevirt/tests/libnode"
 	"kubevirt.io/kubevirt/tests/libstorage"
 	"kubevirt.io/kubevirt/tests/libvmi"
 	"kubevirt.io/kubevirt/tests/libwait"
@@ -295,6 +297,16 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
 				}
 				return len(ds.Spec.Template.Spec.Containers) == 1
 			}, time.Minute*5, time.Second*2).Should(BeTrue())
+
+			nodes := libnode.GetAllSchedulableNodes(virtClient)
+			for _, node := range nodes.Items {
+				output, err := tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"mount"})
+				Expect(err).ToNot(HaveOccurred())
+				Expect(output).ToNot(ContainSubstring("kubevirt/daemons/pr"))
+				output, err = tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"ls", reservation.GetPrHelperSocketDir()})
+				Expect(err).ToNot(HaveOccurred())
+				Expect(output).To(BeEmpty())
+			}
 		})
 	})
 
-- 
2.41.0


From fac107640550d1b9a10150ed355087b0d8a39540 Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Thu, 27 Jul 2023 13:42:42 +0200
Subject: [PATCH 5/8] tests: Ensure KubeVirt is ready (scsi reservation)

Switching the PersistentReservation feature gate on/off causes
redeployment of all the components. Ensure KubeVirt is ready before
moving on.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 tests/storage/reservation.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/storage/reservation.go b/tests/storage/reservation.go
index e233e53e4..ef775baed 100644
--- a/tests/storage/reservation.go
+++ b/tests/storage/reservation.go
@@ -208,6 +208,10 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
 			pv, pvc, err = tests.CreatePVandPVCwithSCSIDisk(node, device, util.NamespaceTestDefault, "scsi-disks", "scsipv", "scsipvc")
 			Expect(err).ToNot(HaveOccurred())
 			waitForVirtHandlerWithPrHelperReadyOnNode(node)
+			// Switching the PersistentReservation feature gate on/off
+			// causes redeployment of all KubeVirt components.
+			By("Ensuring all KubeVirt components are ready")
+			testsuite.EnsureKubevirtReady()
 		})
 
 		AfterEach(func() {
@@ -298,6 +302,11 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
 				return len(ds.Spec.Template.Spec.Containers) == 1
 			}, time.Minute*5, time.Second*2).Should(BeTrue())
 
+			// Switching the PersistentReservation feature gate on/off
+			// causes redeployment of all KubeVirt components.
+			By("Ensuring all KubeVirt components are ready")
+			testsuite.EnsureKubevirtReady()
+
 			nodes := libnode.GetAllSchedulableNodes(virtClient)
 			for _, node := range nodes.Items {
 				output, err := tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"mount"})
-- 
2.41.0


From bb55f6403e8714e116e97f6cfeff3ca086863286 Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Tue, 1 Aug 2023 12:47:22 +0200
Subject: [PATCH 6/8] Support relabeling of unix sockets

An attempt to open a UNIX domain socket returns ENXIO making it hard to
obtain a file descriptor. Instead, manage the selinux label attributes
using the functions that work with file paths.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 cmd/virt-chroot/BUILD.bazel |  1 +
 cmd/virt-chroot/selinux.go  | 21 +++++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/cmd/virt-chroot/BUILD.bazel b/cmd/virt-chroot/BUILD.bazel
index 250a25bf2..fd26041a0 100644
--- a/cmd/virt-chroot/BUILD.bazel
+++ b/cmd/virt-chroot/BUILD.bazel
@@ -17,6 +17,7 @@ go_library(
         "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
         "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:go_default_library",
         "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
+        "//vendor/github.com/opencontainers/selinux/go-selinux:go_default_library",
         "//vendor/github.com/spf13/cobra:go_default_library",
         "//vendor/github.com/vishvananda/netlink:go_default_library",
         "//vendor/golang.org/x/sys/unix:go_default_library",
diff --git a/cmd/virt-chroot/selinux.go b/cmd/virt-chroot/selinux.go
index b8bb3976f..e2c4a4aba 100644
--- a/cmd/virt-chroot/selinux.go
+++ b/cmd/virt-chroot/selinux.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/spf13/cobra"
 	"golang.org/x/sys/unix"
 
@@ -62,10 +63,15 @@ func RelabelCommand() *cobra.Command {
 			if err != nil {
 				return fmt.Errorf("could not open file %v. Reason: %v", safePath, err)
 			}
-
 			defer fd.Close()
 			filePath := fd.SafePath()
 
+			if fileInfo, err := safepath.StatAtNoFollow(safePath); err != nil {
+				return fmt.Errorf("could not stat file %v. Reason: %v", safePath, err)
+			} else if (fileInfo.Mode() & os.ModeSocket) != 0 {
+				return relabelUnixSocket(filePath, label)
+			}
+
 			writeableFD, err := os.OpenFile(filePath, os.O_APPEND|unix.S_IWRITE, os.ModePerm)
 			if err != nil {
 				return fmt.Errorf("error reopening file %s to write label %s. Reason: %v", filePath, label, err)
@@ -74,7 +80,7 @@ func RelabelCommand() *cobra.Command {
 
 			currentFileLabel, err := getLabel(writeableFD)
 			if err != nil {
-				return fmt.Errorf("faild to get selinux label for file %v: %v", filePath, err)
+				return fmt.Errorf("failed to get selinux label for file %v: %v", filePath, err)
 			}
 
 			if currentFileLabel != label {
@@ -108,3 +114,14 @@ func getLabel(file *os.File) (string, error) {
 	}
 	return string(buffer[:labelLength]), nil
 }
+
+func relabelUnixSocket(filePath, label string) error {
+	if currentLabel, err := selinux.FileLabel(filePath); err != nil {
+		return fmt.Errorf("could not retrieve label of file %s. Reason: %v", filePath, err)
+	} else if currentLabel != label {
+		if err := unix.Setxattr(filePath, xattrNameSelinux, []byte(label), 0); err != nil {
+			return fmt.Errorf("error relabeling file %s with label %s. Reason: %v", filePath, label, err)
+		}
+	}
+	return nil
+}
-- 
2.41.0


From 2867dd61c3cdb65c7a195e37c2064a23b285bcee Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Tue, 1 Aug 2023 13:04:25 +0200
Subject: [PATCH 7/8] Relabel PR helper socket in device plugin

This will ensure that a proper selinux label is set on the socket when
it is allocated to a VM pod.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
 cmd/virt-handler/virt-handler.go                 | 15 +--------------
 pkg/util/util.go                                 | 16 +++++++++-------
 pkg/virt-handler/device-manager/socket_device.go |  9 +++++++++
 3 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/cmd/virt-handler/virt-handler.go b/cmd/virt-handler/virt-handler.go
index f0e379b7f..6a915d9ba 100644
--- a/cmd/virt-handler/virt-handler.go
+++ b/cmd/virt-handler/virt-handler.go
@@ -129,8 +129,6 @@ const (
 
 	// Default network-status downward API file path
 	defaultNetworkStatusFilePath = "/etc/podinfo/network-status"
-
-	unprivilegedContainerSELinuxLabel = "system_u:object_r:container_file_t:s0"
 )
 
 type virtHandlerApp struct {
@@ -420,7 +418,7 @@ func (app *virtHandlerApp) Run() {
 		if err != nil {
 			panic(err)
 		}
-		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, se.IsPermissive(), devTun, devNull)
+		err = selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), devTun, devNull)
 		if err != nil {
 			panic(fmt.Errorf("error relabeling required files: %v", err))
 		}
@@ -564,18 +562,7 @@ func (app *virtHandlerApp) shouldEnablePersistentReservation() {
 	if err != nil {
 		panic(err)
 	}
-	se, exists, err := selinux.NewSELinux()
-	if err == nil && exists {
-		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, se.IsPermissive(), prSockDir)
-		if err != nil {
-			panic(fmt.Errorf("error relabeling required files: %v", err))
-		}
-	} else if err != nil {
-		panic(fmt.Errorf("failed to detect the presence of selinux: %v", err))
-	}
-
 	log.DefaultLogger().Infof("set permission for %s", reservation.GetPrHelperHostSocketDir())
-
 }
 
 func (app *virtHandlerApp) runPrometheusServer(errCh chan error) {
diff --git a/pkg/util/util.go b/pkg/util/util.go
index dbf14064a..fef626f9f 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -27,15 +27,17 @@ const (
 	HostRootMount                             = "/proc/1/root/"
 	CPUManagerOS3Path                         = HostRootMount + "var/lib/origin/openshift.local.volumes/cpu_manager_state"
 	CPUManagerPath                            = HostRootMount + "var/lib/kubelet/cpu_manager_state"
-)
 
-// Alphanums is the list of alphanumeric characters used to create a securely generated random string
-const Alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	// Alphanums is the list of alphanumeric characters used to create a securely generated random string
+	Alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+	NonRootUID         = 107
+	NonRootUserString  = "qemu"
+	RootUser           = 0
+	memoryDumpOverhead = 100 * 1024 * 1024
 
-const NonRootUID = 107
-const NonRootUserString = "qemu"
-const RootUser = 0
-const memoryDumpOverhead = 100 * 1024 * 1024
+	UnprivilegedContainerSELinuxLabel = "system_u:object_r:container_file_t:s0"
+)
 
 func IsNonRootVMI(vmi *v1.VirtualMachineInstance) bool {
 	_, ok := vmi.Annotations[v1.DeprecatedNonRootVMIAnnotation]
diff --git a/pkg/virt-handler/device-manager/socket_device.go b/pkg/virt-handler/device-manager/socket_device.go
index fdac11662..53308b648 100644
--- a/pkg/virt-handler/device-manager/socket_device.go
+++ b/pkg/virt-handler/device-manager/socket_device.go
@@ -40,6 +40,7 @@ import (
 	"kubevirt.io/kubevirt/pkg/safepath"
 	"kubevirt.io/kubevirt/pkg/util"
 	pluginapi "kubevirt.io/kubevirt/pkg/virt-handler/device-manager/deviceplugin/v1beta1"
+	"kubevirt.io/kubevirt/pkg/virt-handler/selinux"
 )
 
 type SocketDevicePlugin struct {
@@ -220,6 +221,14 @@ func (dpi *SocketDevicePlugin) Allocate(ctx context.Context, r *pluginapi.Alloca
 		return nil, fmt.Errorf("error setting the permission the socket %s/%s:%v", dpi.socketDir, dpi.socket, err)
 	}
 
+	if se, exists, err := selinux.NewSELinux(); err == nil && exists {
+		if err := selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), prSock); err != nil {
+			return nil, fmt.Errorf("error relabeling required files: %v", err)
+		}
+	} else if err != nil {
+		return nil, fmt.Errorf("failed to detect the presence of selinux: %v", err)
+	}
+
 	m := new(pluginapi.Mount)
 	m.HostPath = dpi.socketDir
 	m.ContainerPath = dpi.socketDir
-- 
2.41.0


From 128599fb4d138723991dd46e741f86dc1561488f Mon Sep 17 00:00:00 2001
From: Alice Frosi <afrosi@redhat.com>
Date: Fri, 4 Aug 2023 13:27:40 +0200
Subject: [PATCH 8/8] pr-helper: set user to root

The image is built with user 1000 by default and the container is
created automatically with this user. Setting explicitly the user to
root, it avoids permission conflicts.

Signed-off-by: Alice Frosi <afrosi@redhat.com>
---
 cmd/virt-handler/BUILD.bazel                  |  1 -
 cmd/virt-handler/virt-handler.go              | 19 -------------------
 .../device-manager/socket_device.go           |  1 -
 .../generate/components/daemonsets.go         |  2 +-
 4 files changed, 1 insertion(+), 22 deletions(-)

diff --git a/cmd/virt-handler/BUILD.bazel b/cmd/virt-handler/BUILD.bazel
index 4299bc688..88e684e9a 100644
--- a/cmd/virt-handler/BUILD.bazel
+++ b/cmd/virt-handler/BUILD.bazel
@@ -19,7 +19,6 @@ go_library(
         "//pkg/monitoring/workqueue/prometheus:go_default_library",
         "//pkg/safepath:go_default_library",
         "//pkg/service:go_default_library",
-        "//pkg/storage/reservation:go_default_library",
         "//pkg/util:go_default_library",
         "//pkg/util/ratelimiter:go_default_library",
         "//pkg/util/tls:go_default_library",
diff --git a/cmd/virt-handler/virt-handler.go b/cmd/virt-handler/virt-handler.go
index 6a915d9ba..f07623453 100644
--- a/cmd/virt-handler/virt-handler.go
+++ b/cmd/virt-handler/virt-handler.go
@@ -33,7 +33,6 @@ import (
 	"syscall"
 	"time"
 
-	"kubevirt.io/kubevirt/pkg/storage/reservation"
 	kvtls "kubevirt.io/kubevirt/pkg/util/tls"
 	"kubevirt.io/kubevirt/pkg/virt-handler/seccomp"
 	"kubevirt.io/kubevirt/pkg/virt-handler/vsock"
@@ -315,7 +314,6 @@ func (app *virtHandlerApp) Run() {
 	app.clusterConfig.SetConfigModifiedCallback(app.shouldChangeLogVerbosity)
 	app.clusterConfig.SetConfigModifiedCallback(app.shouldChangeRateLimiter)
 	app.clusterConfig.SetConfigModifiedCallback(app.shouldInstallKubevirtSeccompProfile)
-	app.clusterConfig.SetConfigModifiedCallback(app.shouldEnablePersistentReservation)
 
 	if err := app.setupTLS(factory); err != nil {
 		glog.Fatalf("Error constructing migration tls config: %v", err)
@@ -548,23 +546,6 @@ func (app *virtHandlerApp) shouldInstallKubevirtSeccompProfile() {
 
 }
 
-func (app *virtHandlerApp) shouldEnablePersistentReservation() {
-	enabled := app.clusterConfig.PersistentReservationEnabled()
-	if !enabled {
-		log.DefaultLogger().Info("Persistent Reservation is not enabled")
-		return
-	}
-	prSockDir, err := safepath.JoinAndResolveWithRelativeRoot("/", reservation.GetPrHelperHostSocketDir())
-	if err != nil {
-		panic(err)
-	}
-	err = safepath.ChownAtNoFollow(prSockDir, util.NonRootUID, util.NonRootUID)
-	if err != nil {
-		panic(err)
-	}
-	log.DefaultLogger().Infof("set permission for %s", reservation.GetPrHelperHostSocketDir())
-}
-
 func (app *virtHandlerApp) runPrometheusServer(errCh chan error) {
 	mux := restful.NewContainer()
 	webService := new(restful.WebService)
diff --git a/pkg/virt-handler/device-manager/socket_device.go b/pkg/virt-handler/device-manager/socket_device.go
index 53308b648..14e9f86df 100644
--- a/pkg/virt-handler/device-manager/socket_device.go
+++ b/pkg/virt-handler/device-manager/socket_device.go
@@ -220,7 +220,6 @@ func (dpi *SocketDevicePlugin) Allocate(ctx context.Context, r *pluginapi.Alloca
 	if err != nil {
 		return nil, fmt.Errorf("error setting the permission the socket %s/%s:%v", dpi.socketDir, dpi.socket, err)
 	}
-
 	if se, exists, err := selinux.NewSELinux(); err == nil && exists {
 		if err := selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), prSock); err != nil {
 			return nil, fmt.Errorf("error relabeling required files: %v", err)
diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
index 229b8e24e..fccc4161a 100644
--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
+++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
@@ -42,7 +42,7 @@ func RenderPrHelperContainer(image string, pullPolicy corev1.PullPolicy) corev1.
 			},
 		},
 		SecurityContext: &corev1.SecurityContext{
-			RunAsUser:  pointer.Int64(util.NonRootUID),
+			RunAsUser:  pointer.Int64(util.RootUser),
 			Privileged: pointer.Bool(true),
 		},
 	}
-- 
2.41.0